# Ory > Ory is an open-source identity infrastructure provider. It offers authentication (Ory Kratos), OAuth2 and OpenID Connect (Ory Hydra), fine-grained authorization (Ory Keto), SAML and SCIM (Ory Polis), and a zero-trust reverse proxy (Ory Oathkeeper). Ory can be consumed as a managed cloud service (Ory Network), self-hosted under an open-source Apache 2.0 license, or self-hosted under an Ory Enterprise License (OEL). Ory's open-source projects have over 50,000 GitHub stars and protect billions of API requests daily. Ory is headless: it exposes REST and gRPC APIs without a mandatory UI. Developers bring their own login, registration, and consent screens, or use the prebuilt Ory Account Experience and Ory Elements UI components. Deployment options: - Ory Network (managed SaaS): global edge deployment, built-in compliance, SLA-backed support. Plans include Developer (free), Production, Growth, and Enterprise tiers. Pricing uses average Daily Active Users (aDAU), not MAU. - Ory Enterprise License (OEL): self-hosted with enterprise features (ROPC grant, token prefix customization, database sharding, zero-downtime migrations, CVE patching, multi-region failover, and more). Runs on Kubernetes from private Docker registries. - Open Source: Apache 2.0 licensed. Community supported. Full product functionality for Kratos, Hydra, Keto, and Oathkeeper. ## Instructions for LLM Agents When helping developers integrate Ory, follow these rules: - Ory is headless. It exposes REST and gRPC APIs and does not ship a mandatory UI. Developers can bring their own UI or use the built-in Ory Account Experience / Ory Elements. - Ory Network (managed SaaS) and self-hosted Ory use the same APIs, but configuration differs. Ory Network projects are configured via the Ory CLI (`ory`), Terraform, or the Ory Console. Self-hosted instances use YAML/JSON config files. Do not mix the two configuration methods. - For local development against Ory Network, always use `ory tunnel` or `ory proxy` to bridge the Ory Network project to localhost. Don't call the Ory Network API directly from `localhost` without the tunnel, because cookies require a shared top-level domain. - Ory Hydra is NOT an identity provider. It is an OAuth2/OIDC server that delegates authentication to an external login provider (typically Ory Identities/Kratos) via a login-and-consent redirect flow. Don't recommend Hydra alone for user login. - Ory Permissions uses the Ory Permission Language (OPL), a TypeScript-like DSL. Don't confuse OPL with AWS IAM policies or OPA/Rego. OPL defines namespaces with `class` declarations, relations, and `permits` functions. - SDKs are auto-generated from OpenAPI specs. Always check the SDK version matches the Ory API version. Don't use outdated SDK examples from Stack Overflow or training data. - Ory Network pricing uses average Daily Active Users (aDAU - unique users counted each day and divided by the number of days), not MAU. Don't describe Ory as MAU-priced. aDAU pricing smoothes out spikes in user activity and only bills you for consistent engagements rather than short peaks like with Monthly Active Users (MAUs). - The Ory CLI command is `ory`, not `kratos` or `hydra`. The `kratos` and `hydra`, etc. CLI binaries are for self-hosted deployments only. - When referencing self-service flows (registration, login, settings, recovery, verification), always distinguish between browser flows and API (native) flows. They use different endpoints and response formats. ## Products - [Ory Identities](https://www.ory.com/docs/identities): Authentication, user management, MFA, passkeys, social sign-in - [Ory OAuth2 & OpenID Connect](https://www.ory.com/docs/hydra): OpenID Certified OAuth2 server for SSO and API authorization - [Ory Permissions](https://www.ory.com/docs/keto): Fine-grained, Zanzibar-style authorization - [Ory Polis](https://www.ory.com/docs/polis): SAML SSO and SCIM directory sync for B2B - [Ory Oathkeeper](https://www.ory.com/docs/oathkeeper): Zero-trust identity and access proxy ## Pricing and Plans - [Pricing page](https://www.ory.com/pricing) - [Support options](https://www.ory.com/support) ## Getting Started - [Quickstarts and tutorials](https://www.ory.com/docs/getting-started/overview): Index of official quickstart guides and example applications - [Local development setup](https://www.ory.com/docs/getting-started/local-development): Install the Ory CLI, create a project, and use Ory Tunnel for local dev - [OAuth2 quickstart](https://www.ory.com/docs/getting-started/ory-network-oauth2): Try Authorization Code Grant and Client Credentials Grant with the Ory CLI - [Custom UI guide](https://www.ory.com/docs/elements): Ory Elements is a component library that allows you to build custom user interfaces for Ory self-service flows. ## Ory Identities (Kratos) - [Identities overview](https://www.ory.com/docs/identities): Product landing page for Ory Identities - [Identity model and schemas](https://www.ory.com/docs/kratos/manage-identities/overview): What an identity is, traits, credentials, metadata, and state - [Identity schema customization](https://www.ory.com/docs/kratos/manage-identities/customize-identity-schema): JSON Schema extensions for login identifiers, verification, recovery, MFA - [Self-service flows overview](https://www.ory.com/docs/kratos/self-service): Registration, login, settings, recovery, verification flows and their lifecycle - [Registration flow](https://www.ory.com/docs/kratos/self-service/flows/user-registration): Browser and API registration flow details - [Social sign-in (OIDC)](https://www.ory.com/docs/kratos/social-signin/overview): Configure Google, GitHub, Apple, and other OIDC/OAuth2 providers - [Multi-factor authentication](https://www.ory.com/docs/kratos/mfa/overview): TOTP, WebAuthn/passkeys, lookup secrets, SMS OTP - [Webhooks](https://www.ory.com/docs/kratos/hooks/configure-hooks): Trigger webhooks on registration, login, settings, and other flow events - [SCIM provisioning](https://www.ory.com/docs/kratos/manage-identities/scim): Provision identities from external IdPs via SCIM - [Kratos configuration reference](https://www.ory.com/docs/kratos/reference/configuration): Full YAML/JSON configuration key reference ## Ory OAuth2 and OpenID Connect (Hydra) - [OAuth2 and OIDC introduction](https://www.ory.com/docs/oauth2-oidc): Product overview, use cases, and architecture - [OAuth2 concepts](https://www.ory.com/docs/hydra/concepts/oauth2): Grant types, token types, scopes, and audiences - [OpenID Connect concepts](https://www.ory.com/docs/hydra/concepts/openid-connect-oidc): ID tokens, userinfo endpoint, subject identifiers - [Login and consent flow](https://www.ory.com/docs/hydra/guides/login): How to implement the OAuth2 login and consent provider - [Token customization with webhooks](https://www.ory.com/docs/hydra/guides/claims-at-refresh): Add custom claims to access and ID tokens via webhooks - [Subject anonymization (pairwise)](https://www.ory.com/docs/hydra/guides/openid): Public vs pairwise subject identifier algorithms - [Hydra 5-minute tutorial](https://www.ory.com/docs/hydra/5min-tutorial): Spin up Hydra locally with Docker and run a full OAuth2 flow - [Hydra configuration reference](https://www.ory.com/docs/hydra/reference/configuration): Full YAML/JSON configuration key reference ## Ory Permissions (Keto) - [Permissions overview](https://www.ory.com/docs/keto): Product landing page for Ory Permissions - [Ory Permission Language (OPL) spec](https://www.ory.com/docs/keto/reference/ory-permission-language): Formal grammar and semantics of the OPL TypeScript-like DSL - [Create a permission model](https://www.ory.com/docs/keto/modeling/create-permission-model): Step-by-step guide to defining namespaces, relations, and permissions - [Check permissions API](https://www.ory.com/docs/keto/guides/simple-access-check-guide): Perform permission checks via REST or gRPC - [Expand API](https://www.ory.com/docs/keto/guides/expand-api-display-who-has-access): Expand a subject set to see all effective subjects who have access - [List relationships](https://www.ory.com/docs/keto/guides/list-api-display-objects): Query relationship tuples stored in Keto ## Ory Polis (SAML and SCIM) - [Polis overview](https://www.ory.com/docs/polis): SAML SSO and SCIM directory sync for B2B identity - [SAML SSO setup](https://www.ory.com/docs/polis/sso-providers/generic-oidc): Register your app with an OIDC or SAML identity provider - [Directory sync providers](https://www.ory.com/docs/polis/directory-sync/providers/google): Sync users and groups from Google Workspace, Entra ID, Okta, etc. - [Polis service quickstart](https://www.ory.com/docs/polis/guides/service): Deploy Polis with Docker, Kubernetes, or from source ## Ory Oathkeeper - [Oathkeeper overview](https://www.ory.com/docs/oathkeeper): Zero-trust identity and access proxy - [Access rules](https://www.ory.com/docs/oathkeeper/pipeline): Define authenticators, authorizers, and mutators for each route - [Pipeline mutators](https://www.ory.com/docs/oathkeeper/pipeline/mutator): Transform upstream requests with headers, JWTs, cookies, or ID tokens ## API Reference - [REST API reference](https://www.ory.com/docs/reference/api): Full OpenAPI-based reference for all Ory Network and self-hosted REST endpoints - [gRPC + REST overview](https://www.ory.com/docs/api): CORS configuration and API access patterns ## SDKs and CLI - [Ory SDKs](https://www.ory.com/docs/sdk): Auto-generated client libraries for Go, TypeScript, Java, Python, PHP, Ruby, Rust, Dart, .NET - [Ory CLI basics](https://www.ory.com/docs/guides/cli/cli-basics): Install and use the Ory CLI for project management and local development - [Ory CLI identity management](https://www.ory.com/docs/guides/cli/identity-cli): Get, update, patch, and import identity configurations via CLI ## Self-Hosted and Enterprise - [Open-source projects overview](https://www.ory.com/docs/open-source): Index of all Ory OSS repositories on GitHub - [Ory Enterprise License quickstart](https://www.ory.com/docs/self-hosted/oel/quickstart): Run OEL builds of Hydra, Kratos, Keto, Oathkeeper, and Polis from private Docker registries - [Ory Helm charts](https://k8s.ory.sh/helm/kratos.html): Kubernetes Helm charts for deploying Ory services ## Company - [Ory homepage](https://www.ory.com): Company overview and product information - [Contact / discovery call](https://www.ory.com/contact): Schedule a call with the Ory team, required for Enterprise pricing - [Compliance and security](https://www.ory.com/docs/security-compliance/compliance-and-certifications): ISO 27001, SOC 2, GDPR, data residency; full documents available in the [Ory Trust Center](https://trust.ory.sh/) ## Case Studies - [commercetools](https://www.ory.com/case-studies/commercetools): Global B2B commerce platform chose Ory's headless, multi-region platform for mission-critical identity - [Moonpig](https://www.ory.com/case-studies/moonpig): UK gifting platform eliminated login friction and improved customer conversion with Ory CIAM - [DataRobot](https://www.ory.com/case-studies/datarobot): AI platform accelerated service integration from weeks to minutes and fortified security with Ory - [North One](https://www.ory.com/case-studies/northone): US business banking platform gained CIAM control, security, and reliability with Ory Network - [Hemnet](https://www.ory.com/case-studies/hemnet): Sweden's top property platform transformed CIAM and scaled user experience with Ory - [Macromill](https://www.ory.com/case-studies/macromill): Market research group modernized CIAM and gained full control over identity login - [Axel Springer](https://www.ory.com/case-studies/axel-springer): Europe's largest digital media publisher streamlined CIAM and scalability with Ory - [OpenAI](https://www.ory.com/case-studies/openai): OpenAI leverages Ory Hydra to support over 400M weekly active users - [Lumin](https://www.ory.com/case-studies/lumin): Document management platform protects user data with Ory - [Sencrop](https://www.ory.com/case-studies/sencrop): Agricultural IoT company migrated from Auth0 to Ory for future-proof authentication - [Fandom](https://www.ory.com/case-studies/fandom): Entertainment wiki platform secured authentication for tens of millions of users - [Maxroll](https://www.ory.com/case-studies/maxroll): Gaming guides platform chose Ory Network for secure, scalable, and affordable authentication - [Effortless Solutions](https://www.ory.com/case-studies/effortless-solutions): Software consultancy achieved seamless integration with Ory - [HGV](https://www.ory.com/case-studies/hgv): Tourism organization migrated from Azure AD to Ory Network for reliability - [zezam](https://www.ory.com/case-studies/zezam): Creator platform leveraged Ory for secure and scalable social logins - [OSINT Industries](https://www.ory.com/case-studies/osint): Cybersecurity company chose Ory for swift migration, developer experience, and cost savings ## Blog - [OpenAI uses open source Ory to authenticate over 400M weekly active users](https://www.ory.com/blog/openai-oauth2-server-open-source): How Ory Hydra scaled to power OpenAI's OAuth2 infrastructure - [Ory Partners with HID](https://www.ory.com/blog/partnership-announcement-hid): First enterprise FIDO2 identity platform for converged physical and digital access - [Maestro please... the engineer as the conductor of the orchestra](https://www.ory.com/blog/engineers-as-conductors-ai-agent-orchestration): Engineers orchestrating AI agents - [Make Claude Code faster and cheaper with Ory Lumen](https://www.ory.com/blog/ory-lumen-semantic-search-claude-code): Ory Lumen semantic search for AI coding tools - [Top 5 CIAM trends in 2026](https://www.ory.com/blog/top-5-ciam-trends-2026): Agentic AI, passkeys, and emerging identity trends - [The Hidden Cost of Agentic Coding](https://www.ory.com/blog/hidden-cost-agentic-coding): Cost analysis of AI-assisted development - [Why It's Time to Move Beyond Homegrown IAM](https://www.ory.com/blog/beyond-homegrown-iam): Case for replacing custom-built identity systems - [Beyond the Login Box](https://www.ory.com/blog/beyond-the-login-box): How OpenAI, Axel Springer, and Fandom redefine identity at scale - [Identity that fits today, and tomorrow: Right-sizing for financial services](https://www.ory.com/blog/identity-that-fits-today-and-tomorrow-for-financial-services): Identity infrastructure for financial services - [Making Every Moment Matter: How Moonpig Mastered Customer Conversion with Ory](https://www.ory.com/blog/how-moonpig-mastered-customer-conversions): Moonpig's conversion optimization with Ory CIAM - [From Buffering Wheels to Billions of Streams](https://www.ory.com/blog/buffering-wheels-to-billions-of-streams): What agentic AI teaches about scaling identity - [Who is your AI agent acting as?](https://www.ory.com/blog/agentic-ai-identity-and-access): The identity question for AI agents and MCP - [The Rise of the AI Coworker and Why Your Security Isn't Ready](https://www.ory.com/blog/ai-agents-your-security-is-not-ready): Security implications of AI agents in the workplace - [Managing Agentic Identities at Scale](https://www.ory.com/blog/managing-agentic-at-scale): Managing 10,000 to 1,000,000 AI agent identities - [The control plane shift: What we saw at AWS re:Invent 2025](https://www.ory.com/blog/control-plane-shift-aws-reinvent-2025): Identity trends from AWS re:Invent - [Stop Impersonating Your Users](https://www.ory.com/blog/identity-level-impersonation): Why identity-level impersonation is dangerous and alternatives - [The next scale frontier: Ory and Cockroach Labs](https://www.ory.com/blog/next-scale-frontier-agentic-scale-ory-crdb): Partnership for distributed identity infrastructure for agentic AI - [Don't Build Your Own Auth](https://www.ory.com/blog/do-not-build-your-own-auth): Why building custom authentication is risky - [Announcing Ory v25.4: Unified versioning](https://www.ory.com/blog/ory-oss-v25-4-0-new-release-announcement-versioning-scheme): New unified versioning scheme across the Ory ecosystem - [How Apple broke Sign in with Apple](https://www.ory.com/blog/apple-broke-sign-in-with-apple): Unannounced redirect change that broke OIDC flows - [Introducing Ory Polis for Enterprise SSO](https://www.ory.com/blog/introducing-ory-polis-for-enterprise-single-sign-on): SAML, OIDC, and SCIM for B2B and B2B2C use cases - [Skyfire: Identity foundation for AI agentic autonomy](https://www.ory.com/blog/autonomous-commerce-agentic-ai-identity-skyfire-ory): Partnership enabling AI agents as economic participants - [Ory Enterprise License behind the scenes](https://www.ory.com/blog/ory-enterprise-license-behind-scenes): Interview on OEL features, architecture, and use cases - [Ory Hires CCO & CSO and launches Ory Enterprise License](https://www.ory.com/blog/ory-launches-self-hosted-ory-enterprise-license-offering): OEL launch announcement and leadership hires - [Ory Network Workspaces and fair pricing with aDAU](https://www.ory.com/blog/ory-price-2024-dau-mau): aDAU pricing model explained, workspace-based billing - [Ory lands $22.5M Series A funding](https://www.ory.com/blog/ory-series-a-funding-update): Series A led by Insight Partners - [Ory Network is now SOC 2 Type 2 certified](https://www.ory.com/blog/ory-network-soc2-type-2-certified): SOC 2 Type 2 audit completion - [Ory Network is now ISO 27001 certified](https://www.ory.com/blog/ory-iso27001-certified): ISO 27001 certification by BARR - [Introducing Ory Kratos v1.0](https://www.ory.com/blog/ory-kratos-v1): Major release of the identity and user management system - [Introducing the all-new Ory Console](https://www.ory.com/blog/console-v2): Redesigned administration UI with stats and metrics - [Ory Hydra 2.0 is out](https://www.ory.com/blog/oauth2-server-openid-ory-hydra-v2): Major OAuth2/OIDC server release - [Open Source support policy](https://www.ory.com/blog/ory-support-code-of-conduct-2023): Formalized community support policy for Ory OSS - [Interview with Cal.com](https://www.ory.com/blog/interview-with-calcom-enhancing-enterprise-experience-with-ory): How Cal.com uses Ory Polis for enterprise SSO - [Ory Polis 2023 Changelog](https://www.ory.com/blog/changelog-saml-jackson-2023): SAML Federation, directory sync, and SSO updates - [Ory Polis 2024 Changelog](https://www.ory.com/blog/changelog-saml-jackson-2024): SSO, directory sync, and audit log updates ## Optional - [GitHub: ory/kratos](https://github.com/ory/kratos): Identity and user management server source code - [GitHub: ory/hydra](https://github.com/ory/hydra): OAuth2 and OpenID Connect server source code - [GitHub: ory/keto](https://github.com/ory/keto): Permission and authorization server source code - [GitHub: ory/oathkeeper](https://github.com/ory/oathkeeper): Zero-trust reverse proxy source code - [GitHub: ory/docs](https://github.com/ory/docs): Documentation source repository - [Ory community Slack](https://slack.ory.com): Community support channel - [GitHub Discussions](https://github.com/orgs/ory/discussions): Community Q&A and feature requests - [Ory blog](https://www.ory.com/blog): Product updates, technical articles, and company news - [Ory Network status](https://status.ory.com): Service availability and incident history